c35fb9a56d5b37a2b957a9a2bf66ea8513c2a8667bc89e756fe5d9bf5abb295f

General

Target

2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
Size

6.8MB
MD5

8fd4aadb0662bf1bf2634d9451332269
SHA1

95433fadacf01080e91297836ead17866eca9c54
SHA256

c35fb9a56d5b37a2b957a9a2bf66ea8513c2a8667bc89e756fe5d9bf5abb295f
SHA512

9c74417e492471c04982d95304bae3af5e5685adf7299b81e3a2451726ff22a7b09fdfd8b314284008dcc38d27e4c1a53f43d51eb6503beb73f4aebb1f61a02b
SSDEEP

98304:r9rOvi3HzBvnKFn0MeYttysOx6VamqSJ5a4foWb/LTu:xrOvijBGnBeYtAX+q05aWoEvu

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3684	4812	WerFault.exe	90
1780	4812	WerFault.exe	90

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe = "11001"	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
4812	2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-17_8fd4aadb0662bf1bf2634d9451332269_avoslocker.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 2464
  2⤵
  - Program crash
  PID:3684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 2604
  2⤵
  - Program crash
  PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4812 -ip 4812
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4812 -ip 4812
1⤵
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8
1⤵
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{671FB1F0-9720-42C1-9056-6E81E43E0236}\CCDInstaller.js

Filesize
1.2MB

MD5
698687ac9e653b2c7a1b0d2a2ec40505

SHA1
ad6959510eff569cff355f2ac4c5988a6d6a433e

SHA256
142db397e43384d0af407ad59ed5b64371cf054b7645913592ca72d2d848c1c9

SHA512
29c5971005bac00173c96bc3b7ffc4fd5701d2f7ff5a29fc05bd8832ff2b1c850903ebed72baa6e4bbcaa0c6b14670ba1e59d900f3087c0fdb0453bea5d150eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{671FB1F0-9720-42C1-9056-6E81E43E0236}\index.html

Filesize
426B

MD5
a28ab17b18ff254173dfeef03245efd0

SHA1
c6ce20924565644601d4e0dd0fba9dde8dea5c77

SHA256
886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375

SHA512
9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

Download Submit

Analysis

Sharing